Skip to content
/ aevt_decompile Public

This is a work-in-progress command line tool for reversing run-only AppleScripts. It will help parse the output of applescript-disassembler.py into something more human-readable.

labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts
64 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SentineLabs/aevt_decompile

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
aevt_decompile.xcodeproj
aevt_decompile.xcodeproj
 
 
aevt_decompile
aevt_decompile
 
 
README.md
README.md
 
 

Repository files navigation

aevt_decompile

Read the blog post: https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts

This program provides further decompiling and decoding of a disassembled run-only AppleScript.

For input, use a text file that is the output of https://github.com/Jinmo/applescript-disassembler

Running this program will create a new file from the input file annotated with:

  1. AEVT codes and their human-readable descriptions;
  2. Decoded hard-coded strings;
  3. Decimal conversions of hard-coded hex numbers;
  4. Names of targeted applications.

Usage: aevt_decompile <file>

where <file> is a text file output from the AppleScript-Disassembler.

aevt_decompile writes its output to ~/Desktop/<file>.out. aevt_decompile is non-destructive (i.e., it does not modify the input file).

About

This is a work-in-progress command line tool for reversing run-only AppleScripts. It will help parse the output of applescript-disassembler.py into something more human-readable.

labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts

Resources

Readme
Activity
Custom properties

Stars

64 stars

Watchers

9 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages